Vulnerabilities Found In Consumer Based Routers And Devices

The SOHOpelessly Broken 2.0 study has been released by Independent Security Evaluators.

The picture it paints of routers and the so-called 'smart' devices that make up the rapidly expanding Internet of Things (IoT) is not pretty.

The researchers sum up their findings as follows:

"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices."

The research team investigated several SOHO routers and NAS devices offered by a range of manufacturers, including:

ASUS

Asustor (a subsidiary of ASUS)

Buffalo

Drobo

Lenovo

Netgear

QNAP

Seagate

Synology

TerraMaster

Xiaomi

Zioncom

Zyxel

Sadly, devices from every manufacturer listed above had at least one web app vulnerability that could allow a remote attacker to gain access to the administrative panel of the device in question. Worse, the researchers reported that they were able to obtain root shells on 12 of the devices, giving them complete control. In six cases, they were able to gain complete control remotely and without authentication.

The most at-risk routers the group tested are:

Asustor AS-602T

Buffalo TeraStation TS5600D1206

TerraMaster F2-420

Drobo 5N2

Netgear Nighthawk R9000

TOTOLINK (Zioncom) A3002RU

The research team did say that the general state of security on IoT devices has improved somewhat since the publication of the SOHOpelessly Broken 1.0 report. That's a low bar given the sorry state of IoT security to begin with. While things have no doubt improved, there are still miles to go before IoT security could be called anything approaching robust.

In fact, many of the IoT devices being sold today still lack basic web application security features like browser security headers and anti-CSRF tokens. Until these kinds of issues are addressed, the conclusions of a SOHOpelessly Broken 3.0 report won't be much better than they are now.